Booking scams steal millions of euros from tourists
- 10/14/2024

Cybersecurity company ESET has released
new findings on Telekopye, a fraud toolkit designed to help cybercriminals
defraud people in online marketplaces. According to the data, Telekopye groups
have extended their targeting to popular accommodation booking platforms such
as Booking.com and Airbnb. The attackers are using compromised accounts of
hotels and accommodation renters.
ESET researchers discovered that the organized fraud
network Telekopye has expanded its activities to target users of popular accommodation
booking platforms such as Booking.com and Airbnb. The groups have also become more
sophisticated in how they select victims and target the booking sites, and their phishing
pages are more believable than those used for regular online marketplaces. Telekopye is a toolkit
that works as a Telegram bot that turns online marketplace scams into illegal
organized businesses. It is used by dozens of scam groups with thousands of
members to steal millions of Euros from their victims. ESET Research presented
the latest findings on Telekopye at the 2024 Virus Bulletin conference.
Booking scams gain traction in 2024
In the Telekopye fraud network, scammers refer to the
buyers and sellers they target as Mammoths. The fraudsters, dubbed Neanderthals
by ESET researchers, require little or no technical knowledge; Telekopye takes
care of everything in a matter of seconds. According to ESET telemetry, booking
scams gained traction in 2024. Hospitality-themed scams spiked sharply in July,
more than doubling in detections and surpassing Telekopye's marketplace scams
for the first time. The two categories continued at similar levels in August and
September.
The growing popularity of online marketplaces has led
to fraudsters preying on unsuspecting buyers and sellers, looking to capture
credit card details rather than negotiate. Since this surge in booking fraud
coincides with the summer vacation season in the targeted regions - the best
time to take advantage of people booking accommodation - time will tell if this
trend will continue. According to 2024 data, these new scams have reached about
half the number of detections of marketplace variants. The new scams mainly
focus on two platforms (Booking.com and Airbnb) compared to the wide range of
online marketplaces targeted by Telekopye.
Fraud starts with an email
In this new scam scenario, fraudsters send an email to
the targeted user of one of these platforms, claiming that there is a problem
with their booking payment. The email contains a link to a well-crafted, legitimate-looking
web page that mimics the exploited platform. The page contains pre-populated
information about a booking, such as check-in and check-out dates, price and
location, and the information provided on the fake pages matches the actual
bookings made by the targeted users.
Radek Jizba, the ESET researcher who discovered and
analyzed Telekopye, said: “Fraudsters achieve this by using compromised
accounts of legitimate hotels and accommodation renters on the platforms, most
likely obtained by buying stolen credentials on cybercrime forums. Using their
access to these accounts, fraudsters select and target users who have recently
booked accommodation and have not yet paid (or have paid very recently). This
approach makes the scam much harder to spot, as the information provided is
personally relevant to the victims and the websites look as expected. The only
visible sign that something is going wrong is the URLs of the websites, which do
not match the legitimate websites being impersonated. Before filling out any
form related to your booking, always make sure that you have not left the
official website or app of the platform in question. Being redirected to an
external URL to proceed with your booking and payment is a strong indication of
fraud.”
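The URL check described in the quote above, written out as an added example (it is not part of the original article or of ESET's tooling): it pulls the links out of a message and flags any whose host is not an official platform domain, including lookalikes that merely contain the platform name. The allowlist and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allowlist, not a complete list of each platform's domains.
OFFICIAL_DOMAINS = {"booking.com", "airbnb.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_official(url: str) -> bool:
    """True only if the URL is HTTPS and its host is an official domain or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops userinfo and port, so "booking.com@host" is judged by "host".
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        # Normalise Unicode hosts to punycode so lookalike characters cannot match.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # Exact match or a dot-delimited suffix; a plain substring test would be fooled
    # by hosts that only start with, or contain, the platform name.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def suspicious_links(email_body: str) -> list[str]:
    """Return every link in the message that leaves the official platforms."""
    return [u for u in URL_RE.findall(email_body) if not is_official(u)]


# Constructed sample message; the .example hosts are placeholders, not real indicators.
SAMPLE_EMAIL = """\
There is a problem with the payment for your booking.
Your reservations: https://www.booking.com/
Confirm your card: https://booking.com.confirm-id8841.example/pay
Mirror: https://booking.com@payments.example/verify
Alt: https://bookíng.com/verify
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("leaves official platform:", link)
```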
Dozens of cyber criminals arrested
In addition to diversifying their target portfolio,
the Neanderthals also sought to improve their tools and operations to increase
their profits. In late 2023, after ESET Research published its two-part series
on Telekopye, Czech and Ukrainian police arrested dozens of cybercriminals
using Telekopye, including key players, in two joint operations. Both
operations were aimed at unspecified Telekopye groups that, according to police
estimates, had amassed at least €5 million since 2021.
